Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Tue, 6 Feb 2001 21:15:17 -0800

Crispin Cowan wrote:

We're trying to pick some conventions that have strong "capture the
flag" like games, to do some validation on our Immunix security
technologies, similar to the Type Enforcement machine that was at DefCon
last year.  We're already booked to go to DefCon this year, but we're
looking for another/sooner convention to go to for a warm-up.


I personally consider these a less than ideal way to get that kind of
feedback.  I don't really have time to do a full hacking contests
rant right now... short version is that I'm not against them per se..
but I have a particular set of standards for what I consider the
"right way" to run one.

In particular answer to your question, I'd rather have a box available
to me to try and break at my leisure.  When I'm at a con, I already
can't do half of the stuff I want to.  If you want to impress people,
and actually get a little research done, keep a box available at
all times at hack.immunix.com or something.  Make the prize, if any,
something nominal.

I get really annoyed by hacking contests that are only for a few days
or a week.  I want to play, but I rarely have time at the moment
of the contest.  The prize amount isn't a factor for me for whether
I'll participate or not.  If I really want a prize, I'll get my own
copy of Pitbull or Immunix, run it on a lab machine, and develop a
private exploit.  Then I'll sit on the exploit until contest time.

Me sitting on an exploit doesn't serve anybody.  So far I really like
the work going into the Immunix project.  I'd hate to see you guys
pull what some would see as a marketing scam.  Don't get me wrong..
nothing wrong with having your box as a target in CTF... what would be
wrong would be Immunix later saying it's secure based on lack of a break-in
during CTF.

                                        BB

